MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2865a12b350dd2ea38de20b7b2a97f968c929114e408fa901b1e5a100b7c5ef4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 4



SHA256 hash: 2865a12b350dd2ea38de20b7b2a97f968c929114e408fa901b1e5a100b7c5ef4
SHA3-384 hash: 56a2560597fe74d9441b04e17a320d75768de3332f25b3e65126bcbf73694f9f9abf47d1b96ec18207282cab55abe7c0
SHA1 hash: adb2d3b58dbad82db72d4350c7b5544257287361
MD5 hash: 683bb2af463da72180707122c28a36e9
humanhash: sink-march-butter-montana
File name: Ovbm.exe
Signature: AgentTesla
File size: 448'000 bytes
First seen: 2020-06-08 12:44:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c2189e4af44925dc118507f063755e89 (2 x AgentTesla)
ssdeep: 12288:8dPtb7MgT2HIovZq8Ccoq4McalWmncimv1TTd:8xt8HRxquF4zalWmnZ0tT
Threatray: 11'031 similar samples on MalwareBazaar
TLSH: 56941281EB4114B5F00C497AD62B2E71A69DF01A7B8E2F115F258ACEF7B09F77B11902
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing AgentTesla:

HELO: mail.selatours.at
Sending IP: 62.218.79.250
From: dhlSender@dhl.com <dhlSender@dlhl.com>
Subject: DHL Shipment Returned/On Demand Delivery
Attachment: DHLCBJ191245168642_ExpressNotification.docm

AgentTesla payload URL:
http://www.nesilgroup.com.tr/wp-content/Ovbm.exe

AgentTesla SMTP exfil server:
mail.stalexinc.com:587
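
The hashes in the entry and the malspam indicators in abuse_ch's comment above are the usable IOCs on this page. The script below is an added example, not MalwareBazaar's or abuse_ch's code: it collects those indicators, verifies a downloaded sample against all four listed digests (reporting per algorithm, so a truncated download or a mis-copied digest of the wrong length is visible), and tags log lines with the indicators they carry. The MTA, proxy and firewall log lines at the bottom are constructed, their formats are assumptions, and the tag names are the example's own. Matching is word-bounded, so 162.218.79.250 does not trigger on the malspam IP and a longer hostname does not trigger on a host it merely contains.

```python
"""IOC checks for the MalwareBazaar entry above.

Added example, not MalwareBazaar's or abuse_ch's code.  The indicators are
copied from the entry and the comment; the log lines at the bottom are
constructed for the demo and their formats are assumptions.
"""
import hashlib
import re
from urllib.parse import urlparse

# --- indicators copied from the entry and the comment ------------------------
SAMPLE_HASHES = {
    "md5": "683bb2af463da72180707122c28a36e9",
    "sha1": "adb2d3b58dbad82db72d4350c7b5544257287361",
    "sha256": "2865a12b350dd2ea38de20b7b2a97f968c929114e408fa901b1e5a100b7c5ef4",
    "sha3_384": "56a2560597fe74d9441b04e17a320d75768de3332f25b3e65126bcbf73694f9f9abf47d1b96ec18207282cab55abe7c0",
}
PAYLOAD_URL = "http://www.nesilgroup.com.tr/wp-content/Ovbm.exe"
EXFIL_HOST = "mail.stalexinc.com"      # SMTP exfil, port 587 per the comment
MALSPAM_HELO = "mail.selatours.at"
MALSPAM_IP = "62.218.79.250"
ATTACHMENT = "DHLCBJ191245168642_ExpressNotification.docm"

PAYLOAD_HOST = urlparse(PAYLOAD_URL).hostname
PAYLOAD_NAME = PAYLOAD_URL.rsplit("/", 1)[-1]


def hash_bytes(data):
    """The four digests MalwareBazaar lists, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def verify_sample(data, expected=SAMPLE_HASHES):
    """Per-digest True/False for a downloaded sample.  A value that cannot be a
    digest of its algorithm (wrong hex length, i.e. mis-copied) raises instead
    of silently comparing False."""
    for name, value in expected.items():
        want = hashlib.new(name).digest_size * 2
        if len(value) != want:
            raise ValueError("%s: expected %d hex chars, got %d" % (name, want, len(value)))
    got = hash_bytes(data)
    return {name: got[name] == value.lower() for name, value in expected.items()}


# Word-bounded patterns: the IP must not fire inside 162.218.79.250 or
# 62.218.79.2501, and a hostname must not fire inside a longer name.  A
# trailing "." (FQDN or end of sentence) is still accepted after a host.
IP_RE = re.compile(r"(?<![\d.])" + re.escape(MALSPAM_IP) + r"(?![\d.])")
HOST_RE = re.compile(
    r"(?<![\w.-])("
    + "|".join(re.escape(h) for h in (PAYLOAD_HOST, EXFIL_HOST, MALSPAM_HELO))
    + r")(?!\.?[\w-])",
    re.IGNORECASE,
)


def match_line(line):
    """Every indicator tag a log line carries; [] means clean."""
    tags = []
    if IP_RE.search(line):
        tags.append("malspam-ip")
    for m in HOST_RE.finditer(line):
        tags.append("host:" + m.group(1).lower())
    low = line.lower()
    if PAYLOAD_URL.lower() in low:
        tags.append("payload-url")
    elif PAYLOAD_NAME.lower() in low:
        tags.append("payload-name")   # same file name served from another path
    if ATTACHMENT.lower() in low:
        tags.append("malspam-attachment")
    return tags


def scan(lines):
    """(line number, tags) for each line that hits at least one indicator."""
    out = []
    for number, line in enumerate(lines, 1):
        tags = match_line(line)
        if tags:
            out.append((number, tags))
    return out


# Constructed log lines (postfix-style MTA, web proxy, egress firewall); the
# formats are illustrative, not copied from any product.  Line 6 is the
# near-miss IP that a plain substring check would flag.
SAMPLE_LOG = [
    "Jun  8 12:40:01 mx1 postfix/smtpd[1234]: connect from mail.selatours.at[62.218.79.250]",
    'Jun  8 12:40:09 mx1 attachment-scan: subject="DHL Shipment Returned/On Demand Delivery" file=DHLCBJ191245168642_ExpressNotification.docm',
    "2020-06-08T12:43:10Z proxy 10.0.0.23 GET http://www.nesilgroup.com.tr/wp-content/Ovbm.exe 200 448000",
    "2020-06-08T12:50:44Z fw ALLOW 10.0.0.23:49211 -> 203.0.113.5:587 (mail.stalexinc.com)",
    "2020-06-08T12:51:00Z proxy 10.0.0.40 GET https://www.dhl.com/en/express/tracking.html 200 1200",
    "Jun  8 13:02:33 mx1 postfix/smtpd[1240]: connect from unknown[162.218.79.250]",
]

if __name__ == "__main__":
    for number, tags in scan(SAMPLE_LOG):
        print(number, tags)
```

The exfil host is matched on any port: the comment lists 587, but the same host reached on 25 or 465 is the same indicator. The imphash, ssdeep and TLSH values from the entry are left out of the hash check because they need pefile, ssdeep and py-tlsh rather than the standard library; the four hashlib digests are enough to confirm you are holding the file the entry describes.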

Intelligence


File Origin
# of uploads: 1
# of downloads: 69
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.LokiBot
Status: Malicious
First seen: 2020-06-08 12:45:05 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2865a12b350dd2ea38de20b7b2a97f968c929114e408fa901b1e5a100b7c5ef4 (this sample)

Delivery method: Distributed via web download

Comments